0
0
SpringbootDebug / FixBeginner · 4 min read

How to Handle Security Exception in Spring Framework

In Spring, handle security exceptions by creating a class annotated with @ControllerAdvice to catch exceptions like AccessDeniedException or AuthenticationException. You can also customize Spring Security's AccessDeniedHandler and AuthenticationEntryPoint to control responses when security errors occur.
🔍

Why This Happens

Security exceptions in Spring occur when a user tries to access a resource they are not allowed to or when authentication fails. For example, if a user without the right role tries to access a protected page, Spring Security throws an AccessDeniedException. If the user is not logged in, an AuthenticationException may be thrown.

If these exceptions are not handled, the user sees a default error page or a stack trace, which is not user-friendly.

java
import org.springframework.security.access.AccessDeniedException;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class SampleController {

    @GetMapping("/admin")
    public String adminPage() {
        // Simulate access denied
        throw new AccessDeniedException("You are not allowed to access this page");
    }
}
Output
HTTP Status 403 – Forbidden Access is denied org.springframework.security.access.AccessDeniedException: You are not allowed to access this page
🔧

The Fix

To handle security exceptions gracefully, create a class with @ControllerAdvice and add methods annotated with @ExceptionHandler for specific exceptions. This lets you return friendly messages or custom error pages.

Alternatively, configure Spring Security's AccessDeniedHandler and AuthenticationEntryPoint to customize responses for access denied and authentication failures.

java
import org.springframework.http.HttpStatus;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.stereotype.Component;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.ResponseStatus;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

@ControllerAdvice
public class SecurityExceptionHandler {

    @ExceptionHandler(AccessDeniedException.class)
    @ResponseStatus(HttpStatus.FORBIDDEN)
    @ResponseBody
    public String handleAccessDenied(AccessDeniedException ex) {
        return "Access denied: " + ex.getMessage();
    }

    @ExceptionHandler(AuthenticationException.class)
    @ResponseStatus(HttpStatus.UNAUTHORIZED)
    @ResponseBody
    public String handleAuthenticationException(AuthenticationException ex) {
        return "Authentication failed: " + ex.getMessage();
    }
}

@Component
public class CustomAccessDeniedHandler implements AccessDeniedHandler {
    @Override
    public void handle(HttpServletRequest request, HttpServletResponse response, AccessDeniedException accessDeniedException) throws IOException {
        response.setStatus(HttpServletResponse.SC_FORBIDDEN);
        response.getWriter().write("Custom Access Denied Message: " + accessDeniedException.getMessage());
    }
}

@Component
public class CustomAuthenticationEntryPoint implements AuthenticationEntryPoint {
    @Override
    public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException {
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        response.getWriter().write("Custom Authentication Required: " + authException.getMessage());
    }
}
Output
When accessing a forbidden page: HTTP 403 with body: Custom Access Denied Message: You are not allowed to access this page When authentication fails: HTTP 401 with body: Custom Authentication Required: Full authentication is required to access this resource
🛡️

Prevention

To avoid unhandled security exceptions, always configure exception handling in your Spring Security setup. Use @ControllerAdvice for global exception handling and customize AccessDeniedHandler and AuthenticationEntryPoint beans.

Test your security rules regularly and provide clear user feedback on authorization failures. Keep your Spring Security version updated to benefit from the latest fixes and features.

⚠️

Related Errors

  • AuthenticationCredentialsNotFoundException: Happens when no authentication info is found; fix by ensuring security context is set.
  • InsufficientAuthenticationException: Occurs when authentication is incomplete; fix by requiring full authentication before access.
  • InvalidCsrfTokenException: Happens when CSRF token is missing or invalid; fix by enabling CSRF protection properly.

Key Takeaways

Use @ControllerAdvice with @ExceptionHandler to catch and handle security exceptions globally.
Customize AccessDeniedHandler and AuthenticationEntryPoint to control HTTP responses for security errors.
Always test security rules to ensure users get clear, friendly error messages.
Keep Spring Security updated to avoid bugs and use latest features.
Understand common related exceptions to handle all security error cases properly.

Related by keyword

How to Handle Validation Exception in Spring Boot CorrectlyError HandlingSpring Boot vs Spring Framework: Key Differences and When to Use EachSpring Boot vs OtherHow to Handle DELETE Request in Spring Boot CorrectlyREST APIHow to Handle File Upload in Spring Boot: Simple GuideREST APIHow to Handle Form Data in Spring Boot: Simple GuideREST API

Up next

How to Use ProblemDetail in Spring Boot for Error HandlingWhat is ResponseEntityExceptionHandler in Spring Boot: ExplainedDev vs Prod Configuration in Spring Boot: Key Differences and UsageHow to Activate Profile in Spring Boot: Simple Guide

More in Security

How to Add Spring Security to Your Project QuicklyHow to Configure Authentication Manager in Spring BootHow to Configure CORS in Spring Security: Simple GuideHow to Configure Spring Security: Simple Setup Guide